Abstract

We introduce knowledge flow analysis, a simple and flexible formalism for checking cryptographic 
protocols. Knowledge flows provide a uniform language for expressing the actions of principals, assump- 
tions about intruders, and the properties of cryptographic primitives. Our approach enables a generalized 
two-phase analysis: we extend the two-phase theory by identifying the necessary and sufficient proper- 
ties of a broad class of cryptographic primitives for which the theory holds. We also contribute a library 
of standard primitives and show that they satisfy our criteria. 

keywords: security protocols, intruder detection. 

1 Introduction 

One area of major success for formal methods has been the verification of security protocols. A number of
specialized tools developed in the last decade have exposed subtle flaws in existing protocols. Many of
these tools use a two-phase approach to efficiently identify intrusion scenarios.

This paper presents knowledge flow analysis, a lightweight and flexible formalism for checking crypto- 
graphic protocols. Our approach is based on a simple mathematical foundation that provides an extensible 
framework for two-phase analysis. In particular, we generalize the two-phase theory of Clarke et al. [10]
by identifying the properties of cryptographic primitives for which the theory holds. We demonstrate the 
generality of our criteria by using them to build a library of standard cryptographic primitives: public and 
symmetric encryption/decryption, signing, pair/set construction, nonce generation, and hashing. The sample 
library can be extended to include blind signing, certification, and many other functions from the rich class 
of primitives that satisfy our criteria. 

Our approach gives a uniform formalism for expressing the actions of principals, assumptions on in- 
truders, and properties of cryptographic primitives. The dynamic behavior of the protocol is described by 
an initial state of knowledge, and a collection of rules that dictate how knowledge may flow amongst prin- 
cipals. Protocol rules are embedded into the initial state of knowledge as values that can be composed and 
decomposed by a special rule primitive, which satisfies the two-phase criteria. 

The knowledge flow approach grew out of an effort to check a new cryptographic scheme [19, 18].
The knowledge flow analysis described here was the final result of a series of incremental attempts at formalizing
and checking its assumptions using the Alloy language and tool [24, 23]. This process drew out the
single source axiom which, to the best of our knowledge, has not been described before: the security of
cryptographic functions depends on the assumption that their fixed points are hard to compute.
The rest of the paper is structured as follows. Section 2 explains the key intuitions underlying the
approach, using the Needham-Schroeder protocol [34] as an example. Section 3 gives the mathematical
foundations of the approach. Section 4 formulates and proves the two-phase theory in the knowledge flow 
context. Section 5 provides a mathematical characterization of the primitives to which the two-phase theory 
applies. Section 6 presents a sample subset of these primitives. The paper closes with a discussion of related 
work and concluding remarks. 

2 Knowledge Flow Basics 

The key idea behind knowledge flow analysis is the observation that, at the most basic level, the purpose of 
a security protocol is to distribute knowledge among its legitimate participants. A protocol is flawed if it 
allows an intruder to learn a value that is intended to remain strictly within the legitimate principals' pool 
of knowledge. To gain more intuition about knowledge flows in security applications, consider the original 
Needham-Schroeder protocol [34]:

    Alice transmits $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$ to Bob,
    Bob transmits $\mathcal{E}_{\mathcal{PK}(A)}(N_A, N_B)$ to Alice,
    Alice transmits $\mathcal{E}_{\mathcal{PK}(B)}(N_B)$ to Bob.

We have two principals, Alice and Bob, each of whom has an initial supply of knowledge. Alice's initial
knowledge, for example, consists of her own public/private key pair $\mathcal{PK}(A)/\mathcal{SK}(A)$, identity $I_A$, nonce
$N_A$, and Bob's public key $\mathcal{PK}(B)$ and identity $I_B$. The purpose of the protocol is to distribute the nonces
between Alice and Bob in such a way that the following conditions hold at the end: (i) Alice and Bob both
know $N_A$ and $N_B$, and (ii) no other principal knows both nonces.

To initiate the protocol, Alice first expands her pool of knowledge to include $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$, an
encryption of her identity and nonce with Bob's public key. She then sends the cipher to Bob, who decrypts it
using his private key, $\mathcal{SK}(B)$. At the end of the first step of the protocol, Bob's knowledge has increased
to include the values $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$ and $N_A$. Bob performs the second step of the protocol by adding
$\mathcal{E}_{\mathcal{PK}(A)}(N_A, N_B)$ to his current knowledge and sending the cipher to Alice. She uses her private key to
decrypt Bob's message and extract $N_B$. By using $N_B$ and $\mathcal{PK}(B)$, Alice can set up an authenticated and
private channel with Bob, as is done during the final step of the protocol, in which Alice creates $\mathcal{E}_{\mathcal{PK}(B)}(N_B)$
and forwards it to Bob. Both Alice and Bob now know the two nonces and share all the knowledge except
their secret keys.

Following the flow of knowledge in the Needham-Schroeder protocol provides a crucial insight under-
lying our analysis method. Namely, a principal can learn a value in one of three ways: he can

• draw the value at the start, 

• compute it using his current knowledge, or 

• learn it by communication. 

Our analysis treats the latter two ways of obtaining knowledge as equivalent. Specifically, we can think of
Alice's computing $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$ as her learning it from a principal called Encryptor whose initial pool of
values includes all possible ciphers: Alice sends the tuple $(\mathcal{PK}(B), (I_A, N_A))$ to Encryptor, who responds
by sending back the encryption of $(I_A, N_A)$ with $\mathcal{PK}(B)$.

Treating cryptographic primitives as principals allows us to consider the total pool of knowledge to be 
fixed. That is, the set of all values before and after the execution of a security protocol is the same; the only 
difference is the distribution of those values among the principals. Since we assume that principals never
forget values, the set of principals who know a value at the end of a protocol session subsumes the set of
principals who drew the value at the beginning.

The goal of analyzing knowledge flows in a protocol is to verify that particular values never leak out of 
the honest participants' pool of knowledge. In other words, we are interested in analyzing the flow of knowl- 
edge from an intruder's perspective. This observation allows us to make sound simplifying assumptions that 
drastically reduce the effort needed to formalize a protocol in terms of knowledge flows: 

• We need not encode the flows of knowledge among the honest principals, such as the flow which
allows Alice to learn $\mathcal{E}_{\mathcal{PK}(A)}(N_A, N_B)$ from Encryptor. Rather, we may assume that each honest
principal draws all values in the total knowledge pool and specify protocols solely in terms of the
intruders' knowledge flows (Sections 3.1 and 3.2).

• We may model all adversaries, including the untrusted public network, with a single opponent whom
we call Oscar. The soundness of this approach is formally proved in Section 3.3. Intuitively, the ap-
proach makes sense if we note that the potential adversaries will be most effective when they collabo-
rate and share knowledge among themselves. Hence, we can replace the (collaboration of) adversaries
with a single principal who possesses all their knowledge, without excluding any intrusion scenarios.

In our example, the flow of knowledge from the intruder's perspective starts with the protocol initial-
ization message $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$, since Oscar needs no prior knowledge to learn the first cipher that Alice
sends to Bob. In general, because Oscar includes the untrusted public network, he learns the first message
of the protocol for free, regardless of who its intended recipient and sender are:

$\forall_{p \in \{a,b\},\ p' \in \{a,b\} \cup O}\ \ [\,\emptyset \to \mathcal{E}_{\mathcal{PK}(p')}(\mathcal{I}(p), \mathcal{N}(\epsilon, \mathcal{I}(p)))\,].$ (1)

The variables $a$ and $b$ denote the honest principals (Alice and Bob), and the set $O$ stands for Oscar. The
notation $\mathcal{N}(\epsilon, \mathcal{I}(p))$ represents the nonce that the nonce primitive generated for the principal identified
by $\mathcal{I}(p)$ using the value $\epsilon$ (the empty string, see Section 6.1) as the seed. For example, Alice's identity is $\mathcal{I}(a) = I_A$ and
Alice's nonce is $\mathcal{N}(\epsilon, \mathcal{I}(a)) = N_A$. The empty set means that Oscar needs no prior knowledge to learn
$\mathcal{E}_{\mathcal{PK}(p')}(\mathcal{I}(p), \mathcal{N}(\epsilon, \mathcal{I}(p)))$.

Once his pool of knowledge includes $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$, Oscar learns the corresponding response,
$\mathcal{E}_{\mathcal{PK}(A)}(N_A, N_B)$. More generally¹,

$\forall_{p' \in \{a,b\},\ p \in \{a,b\} \cup O,\ v \in V}\ \ [\,\{c\} \to \mathcal{E}_{\mathcal{PK}(p)}(v, \mathcal{N}(c, \mathcal{I}(p')))\,]$ where $c = \mathcal{E}_{\mathcal{PK}(p')}(\mathcal{I}(p), v)$. (2)

The variable $V$ denotes the set of all values, or the fixed pool of knowledge. Note that our formalization
constrains the seed of Bob's nonce to be Alice's initialization message. This is needed to establish that
Bob's nonce was generated in the context of the protocol session started by Alice with $\mathcal{E}_{\mathcal{PK}(B)}(I_A, N_A)$.
The resulting correspondence between the nonces prevents our analysis from sounding false alarms when
Oscar legitimately obtains two nonces from Alice and Bob by running a valid protocol session with each.
Oscar learns the final message, $\mathcal{E}_{\mathcal{PK}(B)}(N_B)$, as a consequence of knowing $\mathcal{E}_{\mathcal{PK}(A)}(N_A, N_B)$. Formally,

$\forall_{p \in \{a,b\},\ p' \in \{a,b\} \cup O,\ v \in V}\ \ [\,\{\mathcal{E}_{\mathcal{PK}(p)}(\mathcal{N}(\epsilon, \mathcal{I}(p)), v)\} \to \mathcal{E}_{\mathcal{PK}(p')}(v)\,].$ (3)

3 Knowledge Flow Analysis 

Knowledge flow analysis is based on a simple mathematical foundation. This section formalizes the ideas
outlined in the discussion of knowledge flow basics. We describe how communication rules direct knowl-
edge flows (3.1), show that our treatment of primitives ensures a fixed pool of values (3.2), and formulate
the analysis problem in terms of Oscar's knowledge flows (3.3).

¹ We use the parameter $v$ in $c$ instead of $\mathcal{N}(\epsilon, \mathcal{I}(p))$ because $p'$, the recipient of $c$, cannot conclusively determine that $v$ is, in
fact, the nonce $\mathcal{N}(\epsilon, \mathcal{I}(p))$.
3.1 Communicating Knowledge



We denote the sets of all principals and values by $P$ and $V$. A subset of $P \times V$ is a state of knowledge
drawn from $K = 2^{P \times V}$, the set of all possible states of knowledge. For a given state of knowledge $k \in K$,
we say that "$p$ knows $v$" if $(p, v) \in k$.

Definition 1 A tuple $(R, k_0)$ is a knowledge flow for $(P, V)$ directed by the communication rules $R \subseteq P \times V \times P \times K$ and originating from the state $k_0 \in K$.

A communication rule describes the conditions under which one principal may gain knowledge from an-
other. For example, the rule $(e, \mathcal{E}_{\mathcal{PK}(p_b)}(v), p_a, \{(p_a, \mathcal{PK}(p_b)), (p_a, v)\})$ states that the encryptor $e$ will tell
the cipher $\mathcal{E}_{\mathcal{PK}(p_b)}(v)$ to the principal $p_a$ if $p_a$ knows $p_b$'s public key and the plaintext $v$.

Note that our definition of a communication rule limits the class of protocols expressible in the knowl- 
edge flow framework. In particular, our rules cannot be used to specify conditions under which information 
is withheld from a principal, such as "a will not tell v to b if b knows x". To the best of our knowledge, no 
protocol proposed for practical use requires this form of expressiveness. 

Given a set of communication rules $R$, we say that $k' \in K$ is reachable from $k \in K$ via $R$ if $k'$ is the
result of applying all rules in $R$ to $k$ at most once; i.e. $k' = f_R(k)$ where

Definition 2 $f_R : K \to K$ such that

$f_R(k) = k \cup \{(p_a, v) : (p_b, v) \in k,\ k_a \subseteq k,\ \text{and}\ (p_b, v, p_a, k_a) \in R \text{ for some } p_b \in P \text{ and } k_a \in K\}.$

A state of knowledge $k_n$ is reachable in the context of a knowledge flow $(R, k_0)$ if $k_n = f_R^n(k_0)$. The
maximal state of knowledge $f_R^*(k_0)$ is the limit of $k_n = f_R^n(k_0)$ as $n \to \infty$. A state of knowledge $f_{R_k}^*(k)$
is valid for a knowledge flow $(R, k_0)$ if $R_k \subseteq R$ and $k \subseteq k_0$. Since $f_R^*(k_0)$ is monotonically increasing in
$R$ and $k_0$, any valid state of knowledge is a subset of the maximal state of knowledge. Hence, the maximal
state of knowledge is also the smallest fixed point of $f_R$ which subsumes $k_0$. It is evident from Definition 2
that self-rules such as $r = (p, v, p, k_p) \in R$ do not affect the flow of knowledge: $f_R(k) = f_{R - \{r\}}(k)$. We
therefore assume that $R$ does not contain any self-rules.



3.2 Initial Knowledge 

For each value $v$, $Source(v) = \{p : (p, v) \in k_0\}$ defines the set of principals who draw $v$. In the knowledge
flow framework, a principal $p$ outside of $Source(v)$ can learn $v$ only by communicating with principals
who know $v$. We therefore treat cryptographic primitives, and other computationally feasible algorithms,
as principals. For example, suppose that, in practice, $p$ can compute $v$ by applying the algorithm $A$ to
inputs $i_1, i_2, \dots, i_n$. We model $A$ by adding the principal $A$ to $P$, the tuple $(A, v)$ to $k_0$, and the rule
$(A, v, p, \{(p, i_1), (p, i_2), \dots, (p, i_n)\})$ to $R$.

Our treatment of primitives ensures that $Knowledge(k_0) = \{v : (p, v) \in k_0 \text{ for some } p \in P\}$ consists
of all learnable values. Hence, $V$ is the same in the initial and the maximal state of knowledge,

$Knowledge(k_0) = Knowledge(f_R^*(k_0)),$ (4)

which implies that we can safely restrict our analysis to the subset of $R$ which only involves values in
$Knowledge(k_0)$.

We further simplify our approach by constraining $k_0$, and therefore $R$, according to standard security
assumptions. Specifically, we assume the single source axiom for values that are fixed points of cryp-
tographic functions. For example, if the primitive $h$ models a hashing function $\mathcal{H}$, then we assume that
$\{h\} = Source(x)$ for all $x$ such that $x = \mathcal{H}(x)$. We thus model the assumption that solving the equation
$x = \mathcal{H}(x)$ is computationally hard by stating that no principal other than $h$ can draw $x$:
Definition 3 (Single Source Axiom) Set $F_p$ is fixed for a principal $p$ if for each $(p, v, p_a, k_a) \in R$ with
$v \in F_p$, there exists an $x \in F_p$ such that $(p_a, x) \in k_a$. Fixed sets $F_p$ for $p \in P$ satisfy the single-source
axiom if for all $p \in P$, $p_a \in P$, and $v \in V$, $[v \in F_p \text{ and } (p_a, v) \in k_0] \Rightarrow [p = p_a]$.

The consequence of the single-source axiom is that no principal outside of $\{p\} = Source(v)$ can ever
learn $v \in F_p$:

Lemma 4 If the fixed sets $F_p$ for $p \in P$ satisfy the single-source axiom, then, for all $p \in P$, $p_a \in P$, and
$v \in V$, $[v \in F_p \text{ and } (p_a, v) \in f_R^n(k_0)] \Rightarrow [p = p_a \text{ and } (p_a, v) \in k_0]$.

Proof. We use induction on $n$. The case $n = 0$ is equivalent to the single-source axiom. Suppose that the
lemma holds for $n$, our induction hypothesis. Let $v \in F_p$ and $(p_a, v) \in f_R^{n+1}(k_0)$. According to Definition
2, (i) $(p_a, v) \in f_R^n(k_0)$ and the lemma follows from the induction hypothesis, or (ii) there exist a $p_b \in P$ and
$k_a \in K$ such that $(p_b, v) \in f_R^n(k_0)$, $k_a \subseteq f_R^n(k_0)$, and $(p_b, v, p_a, k_a) \in R$. From the induction hypothesis
we infer that $p = p_b$ and $(p_b, v) \in k_0$ since $v \in F_p$ and $(p_b, v) \in f_R^n(k_0)$. Hence, $(p, v, p_a, k_a) \in R$ and,
since $v \in F_p$ and $F_p$ is a fixed set for $p$, there exists an $x \in F_p$ such that $(p_a, x) \in k_a \subseteq f_R^n(k_0)$, which
proves $p = p_a$ by the induction hypothesis. Notice that $(p_a, v) \in k_0$ because $p_a = p = p_b$ and $(p_b, v) \in k_0$.
The lemma follows by induction on $n$.

□

Together with Equation (4), Lemma 4 implies that $f_R^*(k_0) = f_{R_F}^*(k_0) \subseteq k_0 \cup [P \times (Knowledge(k_0) - F)]$,
where $F$ is the union of all $F_p$ and

$R_F = \{(p_b, x, p_a, k_a) \in R : \{(p_b, x)\} \cup k_a \subseteq k_0 \cup [P \times (Knowledge(k_0) - F)]\}.$

Hence, we need to analyze only the knowledge flows characterized by $R_F$.



3.3 Adversaries' Knowledge 

Let $O \subseteq P$ be a group of collaborating adversaries. We collapse $O$ into a single principal $o$ using the
following merging function:

$Merge(p) = o$ if $p \in O$, and $Merge(p) = p$ if $p \notin O$;

$Merge(k) = \{(Merge(p), v) : (p, v) \in k\}$;

$Merge(r) = (Merge(p_b), v, Merge(p_a), Merge(k_a))$ where $r = (p_b, v, p_a, k_a) \in R$.

The merging of adversaries does not rule out any attacks because $Merge(f_R^*(k_0)) \subseteq
f_{Merge(R)}^*(Merge(k_0))$. We subsequently assume that $Merge$ is implied and use $P$, $R$, and $k_0$ to
refer to $Merge(P)$, $Merge(R)$, and $Merge(k_0)$.

Security properties of protocols are expressed as predicates on the values known to Oscar in the maximal
state of knowledge. We therefore focus our analysis of knowledge flows on finding all the values in the
projection of $f_{R_F}^*(k_0)$ on Oscar. Specifically, we introduce the projection function $g$ and show that its
smallest fixed point is the image of Oscar under $f_{R_F}^*(k_0)$.

Definition 5 Let $X \to x$ or, more explicitly, $X \to_p x$ denote the existence of a rule $(p, x, o, k_a) \in R_F$ for
some $p \in P - \{o\}$ and $k_a \in K$ with $X = \{v : (o, v) \in k_a\}$. We define $g : 2^V \to 2^V$ as

$g(X) = X \cup \{x : X_a \to x \text{ for some } X_a \subseteq X\}.$

The set of values reachable from $X$ is given by $g^*(X)$, which is the limit of $g^n(X)$ as $n \to \infty$.
Since $f_R^*(k_0)$ is monotonically increasing in $R$, Oscar's pool of values under $f_R^*(k_0)$ is maximized if
(a) Oscar tells everything he knows to the honest principals and (b) the honest principals tell each other
all values learnable in polynomial time, which, in our framework, are the values in $Knowledge(k_0) - F$.
Formally, Oscar's final knowledge is maximized when $[(P - \{o\}) \times (Knowledge(k_0) - F)] \subseteq f_R^*(k_0)$.
This is equivalent to assuming that $[(P - \{o\}) \times (Knowledge(k_0) - F)] \subseteq k_0$ because $k \subseteq f_R^*(k_0)$ implies
that $f_R^*(k_0) = f_R^*(k_0 \cup k)$.

Theorem 6 (Knowledge Flow Analysis) Let $[(P - \{o\}) \times (Knowledge(k_0) - F)] \subseteq k_0$ and $k_n =
f_R^n(k_0)$. Then the set $X_n = \{v : (o, v) \in k_n\}$ has the property that $X_n = g^n(X_0)$.

Proof. We use induction on $n$. For $n = 0$, $X_n = X_0 = g^n(X_0)$. Let $X_n = g^n(X_0)$, our induction
hypothesis. We now need to prove that $X_{n+1} = g^{n+1}(X_0)$. By the definition of $X_{n+1}$, $x \in X_{n+1}$ iff
$(o, x) \in k_{n+1} = f_R(k_n)$. According to Definition 2, $(o, x) \in f_R(k_n)$ if and only if (i) $(o, x) \in k_n$,
which is equivalent to $x \in X_n$, or (ii) there exists a $p \in P$ and $k_a \in K$ such that $(p, x) \in k_n$, $k_a \subseteq
k_n$, and $(p, x, o, k_a) \in R$. Since there are no self-rules $(o, v, o, k_a) \in R$, we know that $p \in P - \{o\}$.
Since $[(P - \{o\}) \times (Knowledge(k_0) - F)] \subseteq k_0 \subseteq k_n$, $(p, x) \in k_n$ if and only if $(p, x) \in k_0 \cup [P \times
(Knowledge(k_0) - F)]$ by Lemma 4. This argument also proves that the condition $k_a \subseteq k_n$ is equivalent
to

$X_a = \{v : (o, v) \in k_a\} \subseteq \{v : (o, v) \in k_n\} = X_n$ and $k_a \subseteq k_0 \cup [P \times (Knowledge(k_0) - F)]$.

Notice that $\{(p, x)\} \cup k_a \subseteq k_0 \cup [P \times (Knowledge(k_0) - F)]$ gives us $(p, x, o, k_a) \in R_F$. Therefore, case
(ii) holds if and only if there exists a set $X_a \subseteq X_n$ such that $X_a \to x$. By Definition 5, case (i) or case (ii)
holds if and only if $x \in g(X_n)$. Hence, $X_{n+1} = g(X_n)$ and the theorem follows by induction on $n$.

□

4 Two-Phase Theory 

The formalism developed in the previous sections enables a systematic and efficient analysis of Oscar's
knowledge flows. Specifically, Oscar's final pool of values can be computed in two phases by first applying
all the decomposing rules in $R$ and then all the composing ones. This is a consequence of the 'two-phase
theory' [13, 10], which we now formulate and prove in the knowledge flow framework.

Intuitively, a composing rule combines its inputs into an output value from which some or all of the
inputs can be extracted using a corresponding decomposing rule, if one exists. For example, the composing
rule $r_z = \{x, y\} \to_p x + iy$, where $x \neq 0$ and $y \neq 0$, combines the non-zero real numbers $x$ and
$y$ into the complex number $x + iy$. The corresponding decomposing rules, $r_x = \{x + iy\} \to_p x$ and
$r_y = \{x + iy\} \to_p y$, reconstruct the inputs to $r_z$ from its output. Formally, we define composing and
decomposing rules as follows:

Definition 7 Let $p$ be a principal with a partial ordering $\prec_p$ on the set of values $V$. We call $X \to_p x$

• composing, if $X \prec_p x$, that is, $v \prec_p x$ for all $v \in X$, and

• decomposing, if there exists a value $v \in X$ with $x \prec_p v$ such that $x \in X'$ for all composing $X' \to_p v$.
We say that $v$ controls$_p$ $x$.

Principal $p$ is composing/decomposing if there exists a partial ordering $\prec_p$ such that for all $X \subseteq V$ and
$x \in V$, $X \to_p x$ is composing or decomposing.
Our definition permits the images of composing rules of different principals to intersect. In practice,
however, such intersections are hard to compute; that is, equations like $\mathcal{H}(x) = \mathcal{E}_k(y)$, where $\mathcal{H}$ is a hashing
and $\mathcal{E}$ an encryption function, cannot be solved in polynomial time. We model this by assuming that the
images of different principals' composing rules are disjoint:

Definition 8 (Global Collision Free Axiom) Orderings $\prec_p$ are globally collision free if the sets $\{v :
\exists x\, [x \prec_p v]\}$ have empty intersections for different $p$.

By Definition 7, the set $\{v : \exists x\, [x \prec_p v]\}$ is the image of the composing rules of a compos-
ing/decomposing principal $p$. Hence, the global collision free axiom gives us the required condition that
$[X \to_p v \text{ is composing and } X' \to_{p'} v \text{ is composing}] \Rightarrow [p = p']$ for all $p$ and $p'$ in $P$, $X$ and $X'$ subsets of $V$, and
$v \in V$.

The two-phase theory (Theorem 9) follows immediately from Definitions 7 and 8. It states that applying
a decomposing rule after a corresponding composing rule yields no new information. We can therefore
derive Oscar's maximal state of knowledge in a minimal number of steps by applying all the decomposing
rules before their composing counterparts.

Theorem 9 (Two-Phase Theory) Suppose that the orderings of principals in $P - \{o\}$ are globally collision
free. If $X \to_p x$ is decomposing, $v$ controls$_p$ $x$, $v \in X$, $X' \neq \emptyset$, and $X' \to_{p'} v$ is composing, then $x \in X'$.

Proof. Suppose that $v$ controls$_p$ $x$, $X' \neq \emptyset$, and $X' \to_{p'} v$ is composing. Since $v$ controls$_p$ $x$, $x \prec_p v$, and
since $X' \to_{p'} v$ is composing, there exists a value $x'$ such that $x' \prec_{p'} v$. The orderings $\prec_p$ and $\prec_{p'}$ are
globally collision free, therefore $p' = p$. By the definition of $v$ controls$_p$ $x$, $x \in X'$ because $X' \to_p v$ is
composing.

□

5 Composing/Decomposing Principals 

The applicability of the two-phase theory is not restricted by its formulation in terms of com- 
posing/decomposing principals. This section presents a general criterion for identifying compos- 
ing/decomposing principals which we use in the next section to demonstrate that both standard cryptographic 
primitives and protocol rules are composing/decomposing in our framework. 

We represent composing and decomposing rules with locally collision free sets. This representation
ensures that each decomposing rule has a corresponding composing rule (5) and that the composing rules
are locally free of collisions (6); that is, for all $p$ in $P$, all $X$ and $X'$ subsets of $V$, and all $v \in V$, $[X \to_p
v \text{ is composing and } X' \to_p v \text{ is composing}] \Rightarrow [X = X']$.

Definition 10 (Local Collision Free Axiom) A set $S \subseteq V^m$ is locally collision free if there exist sets $C$
and $D$, which are subsets of $\{1, \dots, m\}$, such that there exist subsets $W_i \subseteq \{1, \dots, m\}$, $i \in C \cup D$, with
the following properties:

for all $i \in D$ there exists an $h \in C$ such that $h \in W_i$ and $i \in W_h$ (5)

and

for all $i, t \in C$ and for all $(x_1, \dots, x_m), (y_1, \dots, y_m) \in S$,
if $x_i = y_t$ then $\{x_j : j \in W_i\} = \{y_j : j \in W_t\}$. (6)

The image $Im(S)$ of $S$ is defined as the set of values $x_i$ for some $(x_1, \dots, x_i, \dots, x_m) \in S$ such that $i \in C$.
An example of a locally collision free set is

$S = \{(s, \mathcal{G}(s), x, \mathcal{E}_{\mathcal{G}(s)}(x), \mathcal{S}_s(x)) : s, x \in V\} \subseteq V^5,$

where $\mathcal{G}$, $\mathcal{E}$, and $\mathcal{S}$ are injective functions free of collisions; that is, $\mathcal{G}(v) \neq \mathcal{E}_{\mathcal{G}(s)}(x)$, $\mathcal{G}(v) \neq \mathcal{S}_s(x)$, and
$\mathcal{E}_{\mathcal{G}(s)}(x) \neq \mathcal{S}_v(y)$ for all $s$, $v$, $x$, and $y$ in $V$. Let $D = \{3\}$ indicate the position in the tuples in $S$ which
corresponds to $x$ and let $C = \{2, 4, 5\}$ indicate the positions which correspond to $\mathcal{G}(s)$, $\mathcal{E}_{\mathcal{G}(s)}(x)$, and $\mathcal{S}_s(x)$.
Let $W_3 = \{1, 4\}$, $W_2 = \{1\}$, $W_4 = \{2, 3\}$, and $W_5 = \{1, 3\}$. Since $\mathcal{G}$, $\mathcal{E}$, and $\mathcal{S}$ are injective functions
with disjoint images, $S$ satisfies Condition (6). Condition (5) is satisfied by taking $h = 4 \in C$ and $i = 3 \in D$.
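As an added check (Python, not code from the paper), the following block tests Conditions (5) and (6) of Definition 10 on a finite sample of the set $S$ above, with tuple positions renumbered from 0, and then repeats the test with a deliberately non-injective encryption to show how a colliding primitive breaks local collision freeness. The symbolic tuple constructors, the sample secrets and plaintexts, and the lossy variant `E_LOSSY` are this example's own assumptions.

```python
"""Checking the local collision free axiom (Definition 10) on a finite sample.

Added example, not from the paper.  S is the paper's example set
{(s, G(s), x, E_{G(s)}(x), S_s(x))} with positions written 0-based, so the paper's
D = {3}, C = {2, 4, 5}, W_3 = {1,4}, W_2 = {1}, W_4 = {2,3}, W_5 = {1,3} become
the constants below.  Constructors are symbolic tags (an assumed free algebra),
not real cryptography."""
from itertools import product

D = {2}                                   # decomposing position: the plaintext x
C = {1, 3, 4}                             # composing positions: G(s), E_{G(s)}(x), S_s(x)
W = {2: {0, 3}, 1: {0}, 3: {1, 2}, 4: {0, 2}}


def G(s):
    return ("pk", s)


def E(k, x):
    return ("enc", k, x)


def SIG(s, x):
    return ("sig", s, x)


def E_LOSSY(k, x):
    """Deliberately non-injective in x: keeps only the first character of the
    plaintext, so plaintexts sharing a first character collide (assumed, for the demo)."""
    return ("enc", k, x[0])


def sample(secrets, plaintexts, enc=E):
    """A finite subset of S, built from constructed sample secrets and plaintexts."""
    return {(s, G(s), x, enc(G(s), x), SIG(s, x)) for s in secrets for x in plaintexts}


def condition_5(C, D, W):
    """(5): each decomposing position i has a composing position h that lists i
    among its inputs while i lists h among its own."""
    return all(any(h in W[i] and i in W[h] for h in C) for i in D)


def condition_6(S, C, W):
    """(6): equal values at composing positions i, t must come from equal input
    sets {x_j : j in W_i} = {y_j : j in W_t}; any counterexample is a collision."""
    for x, y in product(S, repeat=2):
        for i in C:
            for t in C:
                if x[i] == y[t] and {x[j] for j in W[i]} != {y[j] for j in W[t]}:
                    return False
    return True


def locally_collision_free(S):
    return condition_5(C, D, W) and condition_6(S, C, W)


if __name__ == "__main__":
    good = sample(["s1", "s2"], ["ab", "ac"])
    bad = sample(["s1", "s2"], ["ab", "ac"], enc=E_LOSSY)
    print("injective primitives:", locally_collision_free(good))   # True
    print("lossy encryption:    ", locally_collision_free(bad))    # False
```

With the injective constructors every tuple position is determined by its listed inputs, so the sample passes; with `E_LOSSY` the plaintexts "ab" and "ac" yield the same ciphertext at position 3 while their input sets differ, which is exactly the collision that Condition (6) forbids.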

The following theorem shows how a locally collision free set leads to a composing/decomposing principal.
Its proof is in Appendix A.

Theorem 11 (Composing/Decomposing) Let $p \in P - \{o\}$ be a principal such that

$(p, v, p_a, k_a) \in R$ implies there exists an $i \in C \cup D$ and $(x_1, \dots, x_m) \in S$ such that
$v = x_i$, $k_a = \{(p_a, x_j) : j \in W_i\}$, (7)

where $S$ is locally collision free with respect to $C$, $D$, and $W_i$, $i \in C \cup D$. Let $F_p$ be the maximal² fixed set with
$F_p \subseteq Im(S)$. Then, $p$ is composing/decomposing; composing rules correspond to $i \in C$ and decomposing
rules correspond to $i \in D$. The image of the composing rules is $\{v : \exists x \in V\, [x \prec_p v]\} \subseteq Im(S)$.

Applying Theorem 11 to our example, we define the encryptor/decryptor/signer $e$ by the
decomposing rule $(e, x, p, \{(p, s), (p, \mathcal{E}_{\mathcal{G}(s)}(x))\})$ and the composing rules $(e, \mathcal{G}(s), p, \{(p, s)\})$,
$(e, \mathcal{E}_{\mathcal{G}(s)}(x), p, \{(p, \mathcal{G}(s)), (p, x)\})$ and $(e, \mathcal{S}_s(x), p, \{(p, s), (p, x)\})$. The decomposing rule corresponds
to the position $3 \in D$ and models decryption; the composing rules correspond to the positions $2 \in C$,
$4 \in C$, and $5 \in C$ and model public key generation, encryption, and signing. The principal $e$ is therefore
composing/decomposing, and the two-phase theory holds for $\mathcal{E}$, $\mathcal{G}$, and $\mathcal{S}$.

The composing/decomposing theorem is compatible with the knowledge flow theorem if the fixed set
$F_p$ satisfies the single source axiom. In Appendix B we show that this is equivalent to assuming that it is
hard to solve the equation $x = w(x)$ where $w(x) = \mathcal{S}_a(\mathcal{E}_b(\mathcal{G}(\mathcal{E}_{\mathcal{G}(\mathcal{S}_c(x))}(d))))$ is some function composed of
$\mathcal{G}$, $\mathcal{E}$, and $\mathcal{S}$.

6 Primitives 

We now present a sample library of composing/decomposing primitives, which is sufficient for modeling 
a wide range of security protocols. The library includes the standard cryptographic primitives: encryp- 
tion/decryption, signing, pair/set construction, nonce generation, and hashing. It also provides a special rule 
primitive that allows protocol rules to be modeled in the composing/decomposing pattern. 

6.1 Cryptographic Primitives 

Encryption/Decryption Public key encryption [31] consists of a (probabilistic) encryption algorithm, a
decryption algorithm, and a (probabilistic) key-generating algorithm. Given some security parameter, the
key-generating algorithm generates a public-secret key pair. We model $p$'s private key $\mathcal{SK}(p)$ as belonging
to $p$'s initial knowledge, $(p, \mathcal{SK}(p)) \in k_0$. We model the public key as a one-way function of the secret
key, i.e., $\mathcal{PK}(p) = \mathcal{G}(\mathcal{SK}(p))$. Hence, one can compute a corresponding public key from the given secret

2 There exists a unique maximal fixed set since the union of two fixed sets is again a fixed set. 
key but not vice versa. Letting $e$ denote the principal representing public key encryption, we can express
key generation as follows: for all $p \in P$ and $s \in V$, $(e, \mathcal{G}(s), p, \{(p, s)\}) \in R$. If we project this family of
rules on Oscar, we obtain

$\forall_{s \in V}\ [\{s\} \to \mathcal{G}(s)].$ (8)

Given a plaintext $x$ and a public key $\mathcal{G}(s)$, the encryption algorithm computes the cipher-
text³ $\mathcal{E}_{\mathcal{G}(s)}(x)$. Thus, the parameterized rule for encryption is, for all $p \in P$ and $s, x \in V$,
$(e, \mathcal{E}_{\mathcal{G}(s)}(x), p, \{(p, \mathcal{G}(s)), (p, x)\}) \in R$. Projecting the rule on Oscar yields

$\forall_{s, x \in V}\ [\{x, \mathcal{G}(s)\} \to \mathcal{E}_{\mathcal{G}(s)}(x)].$ (9)

Given a ciphertext $\mathcal{E}_{\mathcal{G}(s)}(x)$ and the secret key $s$, the decryption algorithm computes the plaintext $x$.
Hence, for all $p \in P$ and $s, x \in V$, $(e, x, p, \{(p, s), (p, \mathcal{E}_{\mathcal{G}(s)}(x))\}) \in R$ and

$\forall_{s, x \in V}\ [\{s, \mathcal{E}_{\mathcal{G}(s)}(x)\} \to x].$ (10)

Signing We can model digital signatures by extending $e$ with the rules of the form
$(e, \mathcal{S}_s(x), p, \{(p, s), (p, x)\}) \in R$, for all $p \in P$ and $s, x \in V$, which translate into

$\forall_{s, x \in V}\ [\{x, s\} \to \mathcal{S}_s(x)].$ (11)

In practice, the principal who receives $x$ and its signature $\mathcal{S}_s(x)$ can verify the signature by using the public
key $\mathcal{G}(s)$. In our model, it is sufficient to note that knowledge of $y = \mathcal{S}_s(x)$ already verifies that $y$ is a
signature of $x$, signed by using the secret key $s$. That is, the principal who obtained $y$ from $e$ knows both $s$
and $x$.

Symmetric key encryption is modeled by (9) and (10) where $\mathcal{G}(s)$ is replaced by $s$ and where $s$ represents
the symmetric key. We can extend this definition with (11) to include message authentication codes (MACs).

Pairing/Set Construction Let $t$ be a principal such that a communication rule $(t, v, p_a, k_a)$ is in $R$ if and
only if one of the following holds for $v \in V$, $p_a \in P$, and $k_a \in K$: (i) $v = (x, y)$ and $k_a = \{(p_a, x), (p_a, y)\}$
for some $x, y \in V$, (ii) $k_a = \{(p_a, (v, y))\}$ for some $y \in V$, or (iii) $k_a = \{(p_a, (x, v))\}$ for some $x \in V$.
Projected on Oscar, this set of rules becomes

$\forall_{x, y \in V}\ [\{x, y\} \to (x, y)],$ (12)
$\forall_{x, y \in V}\ [\{(x, y)\} \to x],$ (13)
$\forall_{x, y \in V}\ [\{(x, y)\} \to y].$ (14)

Replacing $(x, y)$ by $\{x, y\}$ in (12)-(14) turns $t$ into a primitive that generates sets of cardinality 2.
Nonce Generation Let $\mathcal{I}(p) \in V$ represent the public identity of $p$ (the identity function $\mathcal{I}$ em-
beds $P$ in $V$). We model nonce generation with the nonce primitive $n$ and the parameterized rule
$\forall_{p \in P, v \in V}\ (n, \mathcal{N}(v, \mathcal{I}(p)), p, \{(p, v)\}) \in R$, which translates into

$\forall_{p \in O, v \in V}\ [\{v\} \to \mathcal{N}(v, \mathcal{I}(p))].$ (15)

The dependence of $n$'s output on $\mathcal{I}(p)$ ensures that $p$ cannot learn other principals' nonces from $n$. The
parameter $v$ represents the seed from which a pseudo-random nonce is generated. If a protocol stipulates
that a principal $p$ needs to generate a new nonce in response to a received message $m$, then $v$ is taken to be
equal to $m$. For the first nonce of a protocol, we take $v$ to be the empty string $\epsilon$.

Hashing We define the primitive $h$ for calculating hashes $\mathcal{H}(x)$ with the family of rules
$\forall_{p \in P, x \in V}\ (h, \mathcal{H}(x), p, \{(p, x)\}) \in R$ and

$\forall_{x \in V}\ [\{x\} \to \mathcal{H}(x)].$ (16)

³ If the algorithm is probabilistic (for example in ElGamal encryption) then the ciphertext $\mathcal{E}_{\mathcal{G}(s)}(x; r)$ is also a function of some
random value $r$ (uniformly) drawn by the algorithm.
6.2 The Rule Primitive

Protocol rules do not compute new values; rather, they model the transmission of values computed by the
primitives. We can therefore embed protocol rules into the initial state of knowledge as follows.

With each (parameterized) protocol rule $x \to y$, we associate the value $|x \to y| \in V$. This value is
composed/decomposed by the rule primitive $r$ via the parameterized rules

$\forall_{p \in P, x, y \in V}\ (r, |x \to y|, p, \{(p, x), (p, y)\}) \in R$ and

$\forall_{p \in P, x, y \in V}\ (r, y, p, \{(p, |x \to y|), (p, x)\}) \in R,$

whose projected forms are

$\forall_{x, y \in V}\ [\{x, y\} \to |x \to y|]$ and (17)

$\forall_{x, y \in V}\ [\{x, |x \to y|\} \to y].$ (18)

We represent each protocol rule $x \to y$ with the initial knowledge $(o, |x \to y|)$. Oscar can now use
(18) to learn $y$ from $|x \to y|$ if he knows $x$. For example, the following addition to $k_0$, together with (18),
simulates rule (3) of the Needham-Schroeder protocol:

$\forall_{p \in \{a,b\},\ p' \in \{a,b\} \cup O,\ v \in V}\ \ (o,\ |\mathcal{E}_{\mathcal{PK}(p)}(\mathcal{N}(\epsilon, \mathcal{I}(p)), v) \to \mathcal{E}_{\mathcal{PK}(p')}(v)|) \in k_0.$
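To make the machinery of Sections 2, 3.3, 4 and 6 concrete, here is an added Python example (not code from the paper) that computes Oscar's reachable knowledge $g^*(X_0)$ for one Needham-Schroeder session in the order Theorem 9 licenses: a decomposing phase that saturates his knowledge under rules (10), (13), (14) and (18), followed by a composing phase that checks whether a target value can be built with rules (8), (9), (11), (12), (15), (16) and (17). Values are symbolic terms of a free algebra, the perfect-cryptography assumption of Section 6.3. The tuple tags, the identity and secret-key atoms, and the instantiation of rules (1)-(3) for a single session are this example's own choices, and rule (3) is instantiated only for the partner Alice started the session with, which is narrower than the paper's quantification over $p'$.

```python
"""Two-phase closure of Oscar's knowledge (added example, not the paper's code).

Values are symbolic terms of a free algebra: atoms are strings, composed values
are tuples tagged by the primitive that built them.  The tags are this example's
own encoding of the library of Section 6 (an assumption, not the paper's notation):
  ("pk", s)        G(s)                       rule (8)
  ("enc", k, x)    E_k(x); k = ("pk", s) or a symmetric key s   rules (9)/(10)
  ("sig", s, x)    S_s(x)                     rule (11)
  ("pair", x, y)   (x, y)                     rules (12)-(14)
  ("nonce", v, p)  N(v, I(p)), p an identity atom   rule (15)
  ("hash", x)      H(x)                       rule (16)
  ("rule", x, y)   the rule value |x -> y|    rules (17)/(18)
"""

OSCAR = "Io"                                     # Oscar's identity atom (assumed name)
SK = {"Ia": "sk_a", "Ib": "sk_b", "Io": "sk_o"}  # secret-key atoms (assumed names)
EPS = ""                                         # empty-string seed of a first nonce (Section 6.1)


def tagged(t, op):
    return isinstance(t, tuple) and t[0] == op


def synth(target, known):
    """Composing phase: can Oscar build `target` from `known` with the composing
    rules (8), (9), (11), (12), (15), (16), (17) only?  Recursion follows the
    term structure, so it terminates."""
    if target in known:
        return True
    if not isinstance(target, tuple):
        return False                             # an unknown atom cannot be composed
    op, args = target[0], target[1:]
    if op == "nonce":                            # (15): only nonces tagged with Oscar's identity
        return args[1] == OSCAR and synth(args[0], known)
    return all(synth(a, known) for a in args)    # every other constructor is freely applicable


def analyze(known):
    """Decomposing phase: saturate `known` under rules (10), (13), (14), (18).
    A side premise (the decryption key, or the antecedent x of |x -> y|) may be
    a composed value, so it is checked with synth().  Each produced value is a
    proper subterm of a known value, hence the loop terminates."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if tagged(t, "pair"):                                # (13), (14)
                new.update(t[1:])
            elif tagged(t, "enc"):                               # (10)
                key, x = t[1], t[2]
                secret = key[1] if tagged(key, "pk") else key    # public-key or symmetric
                if synth(secret, known):
                    new.add(x)
            elif tagged(t, "rule"):                              # (18)
                x, y = t[1], t[2]
                if synth(x, known):
                    new.add(y)
        new -= known
        if not new:
            return frozenset(known)
        known |= new


def knows(target, initial):
    """target in g*(X_0): decompose to a fixed point first, then compose (Theorem 9)."""
    return synth(target, analyze(initial))


def pk(p):
    return ("pk", SK[p])


def enc(p, *xs):
    """E_{PK(p)}(x), or E_{PK(p)}((x, y)) with the pair of rule (12)."""
    return ("enc", pk(p), xs[0] if len(xs) == 1 else ("pair", *xs))


def oscar_initial_knowledge(partner):
    """X_0 for one session that Alice starts with `partner` ("Ib": honest run,
    "Io": Alice talks to Oscar).  Rules (1)-(3) are instantiated for that session
    with the nonce seeds of Section 2; rule (3) is instantiated for the partner
    Alice started with (an assumption narrower than the paper's p')."""
    na = ("nonce", EPS, "Ia")                    # N_A = N(eps, I_A)
    m1 = enc(partner, "Ia", na)                  # (1): learned for free from the network
    c = enc("Ib", "Ia", na)                      # (2): the message Bob expects
    nb = ("nonce", c, "Ib")                      # N_B seeded with c
    m2 = enc("Ia", na, nb)
    rule2 = ("rule", c, m2)                      # |c -> E_PK(A)(N_A, N_B)|
    rule3 = ("rule", m2, enc(partner, nb))       # |E_PK(A)(N_A, N_B) -> E_PK(partner)(N_B)|
    x0 = {SK["Io"], pk("Ia"), pk("Ib"), "Ia", "Ib", "Io", m1, rule2, rule3}
    return frozenset(x0), na, nb


def leaks_both_nonces(partner):
    """True iff Oscar ends up knowing N_A and N_B, violating condition (ii) of Section 2."""
    x0, na, nb = oscar_initial_knowledge(partner)
    return knows(na, x0) and knows(nb, x0)


if __name__ == "__main__":
    print("honest run leaks both nonces:", leaks_both_nonces("Ib"))   # False
    print("Alice starts with Oscar:     ", leaks_both_nonces("Io"))   # True
```

The honest instance leaves both nonces out of Oscar's closure. The instance in which Alice opens the session with Oscar lets him decrypt $N_A$, compose the message Bob expects, relay Bob's reply to Alice and decrypt her final message, so he ends up with both nonces; this is the well-known man-in-the-middle attack on the original protocol found by Lowe, reproduced here only to the extent the paper's rules (1)-(3) describe it. Because finite tuples can never equal their own encryption or hash, the single source axiom of Section 3.2 holds for this term representation without any extra constraint, which is what the Alloy false counterexample mentioned in Section 6.3 lacked.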



6.3 Summary 

The rules (8)-(18) define a library of primitives, $e$, $t$, $n$, $h$ and $r$, that are composing/decomposing according to Theorem 11. The following assumptions are implicit in their definitions:

The Collision Free Axioms. It is hard to compute collisions of the composition rules (8), (11), (12), (13), (16) and (17). Therefore, we model these rules as injective functions that are mutually free of collisions; that is, they satisfy the local and global collision free axioms.

The Single Source Axiom. It is hard to compute fixed points of functional compositions of the rules (8), (11), (12), (13), (16) and (17). The primitives $e$, $t$, $n$, $h$ and $r$ hence satisfy the single source axiom.

Cryptographic Primitive Properties. It is hard to compute the inverses that are not encoded by the decomposition rules (10), (13), and (14). The rules (8)-(14) represent Oscar's computational means in the Dolev-Yao intruder model [14]. This assumes perfect cryptography: the set of values is supposed to be a free algebra.

Collision freeness and perfect cryptography are routinely assumed when reasoning about security protocols. To the best of our knowledge, however, the necessity of assuming the single source axiom has not been recognized before. We discovered it using the Alloy Analyzer [23], a general purpose model finder, to check a security theorem about knowledge flows in the CPUFs renewal protocol [19, 18]: in the absence of the axiom, the Analyzer generates a false counterexample to the theorem based on a fixed value that satisfies the equation $x = \mathcal{E}_s(x)$.
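The two-phase analysis that the rule primitive and the summary above rely on, as an added example that is not part of the paper: a small Dolev-Yao knowledge closure over a free term algebra in which the value $|x \to y|$ of Section 6.2 is the constructor ('rule', x, y), followed by a demonstration of the false counterexample that the single source axiom rules out. Phase 1 computes the least fixed point of the decomposition rules; phase 2 composes the goal from its sub-terms. The constructor names, the sample initial knowledge (a rule value $|na \to \mathcal{E}_{kb}(nb)|$ plus $na$) and the non-free value $v = \mathcal{E}_s(v)$, represented by unfolding $v$ to the term ('enc', 's', 'v'), are all constructed for this example; `is_closed_knowledge_set` stands in for a model finder that only constrains the knowledge set to be closed under the rules instead of computing the least closure.

```python
# Added example (not from the paper): a two-phase Dolev-Yao knowledge
# closure over a free term algebra, with the rule primitive of Section 6.2
# encoded as the constructor ('rule', x, y) for |x -> y|, and a
# demonstration of the false counterexample the single source axiom rules
# out.  Constructor names, the sample initial knowledge and the equation
# v = E_s(v) are constructed for this example.

# Terms: atoms are strings; compound values are tuples
#   ('enc', k, m)   symmetric encryption E_k(m)
#   ('pair', a, b)  pair construction
#   ('rule', x, y)  the rule value |x -> y|

def decompose(term, known):
    """Values Oscar reads off `term` with one decomposition rule, given
    that he already knows everything in `known`."""
    if not isinstance(term, tuple):
        return set()
    tag, args = term[0], term[1:]
    if tag == 'enc':                   # {k, E_k(m)} -> m
        return {args[1]} if args[0] in known else set()
    if tag == 'pair':                  # (a, b) -> a and b
        return set(args)
    if tag == 'rule':                  # {x, |x -> y|} -> y, rule (18)
        return {args[1]} if args[0] in known else set()
    return set()

def unfold(term, equations):
    """In a free algebra a value is its own description.  `equations`
    models a non-free algebra by mapping a value to a term it equals,
    e.g. the fixed point v = E_s(v)."""
    return equations.get(term, term)

def saturate(initial, equations=None):
    """Phase 1: the LEAST fixed point of the decomposition rules."""
    equations = equations or {}
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = decompose(unfold(t, equations), known) - known
            if new:
                known |= new
                changed = True
    return frozenset(known)

def composable(goal, known):
    """Phase 2: build `goal` from `known` with composition rules only.
    Recursion on sub-terms terminates because the goal is a finite term."""
    if goal in known:
        return True
    if not isinstance(goal, tuple):
        return False
    return all(composable(a, known) for a in goal[1:])

def knows(initial, goal, equations=None):
    return composable(goal, saturate(initial, equations))

def is_closed_knowledge_set(candidate, initial, equations=None):
    """What a model finder sees when the knowledge relation is only
    constrained to be closed: k0 is a subset of K and every t in K minus
    k0 is produced by a rule whose premises lie in K.  Any such K is a
    fixed set of the rules; it need not be the least one."""
    equations = equations or {}
    K = set(candidate)
    if not set(initial) <= K:
        return False
    for t in K - set(initial):
        by_decomposition = any(t in decompose(unfold(u, equations), K) for u in K)
        by_composition = isinstance(t, tuple) and all(a in K for a in t[1:])
        if not (by_decomposition or by_composition):
            return False
    return True

# A protocol rule "on receiving na, send E_kb(nb)", embedded as the value
# |na -> E_kb(nb)| in Oscar's initial knowledge (constructed instance).
RULE = ('rule', 'na', ('enc', 'kb', 'nb'))

def oscar_learns_nb(knows_kb):
    k0 = {RULE, 'na'} | ({'kb'} if knows_kb else set())
    return knows(k0, 'nb')

# A value that equals its own encryption under s: not a free term.
FIXED_POINT = {'v': ('enc', 's', 'v')}

def least_fixed_point_knows_v():
    # well-founded derivation: v is never produced from s alone
    return knows({'s'}, 'v', FIXED_POINT)

def spurious_fixed_set_admits_v():
    # {s, v} is closed because v "decrypts" to itself, so a model finder
    # may report it as Oscar's knowledge: the false counterexample
    return is_closed_knowledge_set({'s', 'v'}, {'s'}, FIXED_POINT)

def free_algebra_rejects_v():
    # without the equation, {s, v} is not closed: nothing produces v
    return is_closed_knowledge_set({'s', 'v'}, {'s'})

if __name__ == '__main__':
    print(oscar_learns_nb(False), oscar_learns_nb(True))
    print(least_fixed_point_knows_v(), spurious_fixed_set_admits_v(),
          free_algebra_rejects_v())
```

With the rule value and $na$ in $k_0$ Oscar obtains $\mathcal{E}_{kb}(nb)$ but not $nb$; adding $kb$ lets phase 1 decrypt it. The least fixed point never yields $v$ from $s$ alone, while the closed set $\{s, v\}$ satisfies the closure constraint because $v$ decrypts to itself; that self-justifying fixed value is what the Alloy Analyzer reported, and the single source axiom is what excludes it.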



7 Related Work 

The first formalisms designed for reasoning about cryptographic protocols are belief logics such as BAN logic [8], used by the Convince tool [25] with the HOL theorem prover [22], and its generalizations (GNY [21], AT, and SVO logic, which the C3PO tool employs with the Isabelle theorem prover [37]). Belief logics are difficult to use since the logical form of a protocol does not correspond to the protocol itself in an obvious way. Almost indistinguishable formulations of the same problem lead to different results. It is also hard to know if a formulation is over-constrained or if any important assumptions are missing. BAN logic and its derivatives cannot deal with security flaws resulting from interleaving of protocol steps [7] and cannot express any properties of protocols other than authentication [28]. To overcome these limitations, the knowledge flow formalism has, like other approaches [27, 33, 11], a concrete operational model of protocol execution. Our model also includes a description of how the honest participants in the protocol behave and a description of how an adversary can interfere with the execution of the protocol.

Specialized model checkers such as Casper [27], Murφ [33], Brutus [11], TAPS [12], and ProVerif have been successfully used to analyze security protocols. These tools are based on state space exploration, which leads to exponential complexity. Athena [40] is based on a modification of the strand space model [16]. Even though it reduces the state space explosion problem, it remains exponential. Multiset rewriting [15] in combination with tree automata is used in Timbuk [17]. The relation between multiset rewriting and strand spaces is analyzed in [9]. The relation between multiset rewriting and process algebras [32, 2] has also been analyzed.

Proof building tools such as NRL, based on Prolog [30|, have also been helpful for analyzing security 
protocols. However, they are not fully automatic and often require extensive user intervention. Model 
checkers lead to completely automated tools which generate counterexamples if a protocol is flawed. For 
theorem-proving-based approaches, counterexamples are hard to produce. 

For completeness, we note that if the initial knowledge of the intruder consists of a finite number of explicit (non-parameterized, non-symbolic) values, then a polynomial time intruder detection algorithm can be shown to exist using a generalization of the proof normalization arguments [29, 4, 20], which were employed in [6, 35] and have been implemented in the framework [36] (our two-phase theorem can also be used to derive a polynomial time algorithm). However, in practice, the initial knowledge of an intruder is unbounded and represented by a finite number of parameterized sets, each having an infinite number of elements.

8 Concluding Remarks 

We introduced knowledge flow analysis, a new framework for reasoning about knowledge in cryptographic 
protocols. The key advantage of the knowledge flow approach over other formalisms is its simplicity and 
flexibility. It is simple in the sense that the underlying mathematics is straightforward and elementary; it 
does not require any specialized background (in logic). It is flexible in the sense that the same library of 
cryptographic primitives can be used to model different protocols and that the security of a complex scheme 
involving multiple protocols can be verified. Knowledge flow analysis allows modeling of confidentiality 
and authenticity via a wide range of primitives such as pairing, union, hashing, symmetric key encryption, 
public key encryption, MACs and digital signatures. 

Our formalism derives its simplicity from being just sufficiently expressive to enable modeling of practical cryptographic protocols. In particular, existentials [15] cannot be encoded as knowledge flows; existentials are implicitly modeled in Oscar's initial knowledge. NP-hardness proofs which use (existential) Horn clause reduction [15] or 3-SAT reduction [39] are not applicable to knowledge flow analysis.

Our formalism leads to a rigorous mathematical treatment and generalization of the two-phase theory [10] which is used to efficiently verify protocols. Our treatment reveals the necessary and sufficient collision free and single source axioms: it is hard to compute collisions and fixed points of compositions of cryptographic primitives. To the best of our knowledge the necessity of assuming the single source axiom has not been recognized before.
A Fixed Sets and Orderings



To prove Theorem 11 we define a sequence of subsets which we use to define a partial ordering and to characterize a fixed set.

Definition 12. Let $S$ be locally collision free with respect to $C$, $D$, and $W_i$, $i \in C \cup D$. We define $S_n \subseteq V$ recursively by $S_{-1} = \emptyset$,

$S_0 = V - \mathrm{Im}(S) = V - \{x_i : i \in C \text{ and there exists a tuple } (x_1, \ldots, x_m) \in S\},$

and, for $n \geq 0$,

$S_{n+1} = S_n \cup \{x_i : i \in C \text{ and there exists a } (x_1, \ldots, x_m) \in S \text{ such that } x_j \in S_n \text{ for } j \in W_i\}.$

We define $S_\infty = \{v \in V : v \in S_n \text{ for some } n \geq 0\}$.

We first show in Lemma 14 that $V - S_\infty$ is a fixed set. We start with a result which we use throughout the whole proof.

Lemma 13. Let $i \in C$, $(x_1, \ldots, x_m) \in S$, and $x_i \in S_\infty$. Then (i) $x_i \in S_{n+1} - S_n$ for some $n \geq 0$ and (ii) $x_j \in S_n$ for all $j \in W_i$ and there exists an $h \in W_i$ such that $x_h \in S_n - S_{n-1}$.

Proof. (i) Since $i \in C$, $x_i \notin S_0$, which proves $n \geq 0$. (ii) Let $k \geq 0$ be the smallest index for which $x_j \in S_k$ for all $j \in W_i$. Then there exists an index $h \in W_i$ such that $x_h \in S_k - S_{k-1}$. Notice that $x_i \in S_{k+1}$ by the definition of $S_{k+1}$. Therefore, if $k < n$ then $x_i \in S_{k+1} \subseteq S_n$, contradicting $x_i \in S_{n+1} - S_n$. This proves $n \leq k$.

From the definition of $x_i \in S_{n+1} - S_n$ we infer that there exists a $t \in C$, $(y_1, \ldots, y_m) \in S$ such that $x_i = y_t$ and $y_j \in S_n$ for $j \in W_t$. Since $i \in C$, $t \in C$, and $x_i = y_t$, (6) yields $x_h \in \{x_j : j \in W_i\} = \{y_j : j \in W_t\} \subseteq S_n$. From $x_h \in S_k - S_{k-1}$, we infer $n \geq k$. We conclude $n = k$, which proves the lemma.

$\square$

Lemma 14. $V - S_\infty$ is a fixed set for $p$.

Proof. Let $(p, v, p_a, k_a) \in R$ with $v \in V - S_\infty$. From the definition of $R$ in terms of $S$ we infer that there exists an $i \in C \cup D$ and $(x_1, \ldots, x_m) \in S$ such that $v = x_i$ and $k_a = \{(p_a, x_j) : j \in W_i\}$. If $i \in C$ and $x_j \in S_\infty$ for all $j \in W_i$, then, by the definition of $S_\infty$, $x_i \in S_\infty$, which contradicts $x_i = v \in V - S_\infty$. Hence, if $i \in C$ then $x_j \in V - S_\infty$ for some $j \in W_i$.

If $i \in D$, then (5) shows the existence of an $h \in C$ with $i \in W_h$ and $h \in W_i$. From $i \in W_h$ and $h \in C$ we infer that if $x_h \in S_\infty$ then, by Lemma 13(ii), $x_i \in S_\infty$, which contradicts $x_i = v \in V - S_\infty$. Hence, $x_j \in V - S_\infty$ for some $j \in W_i$.

$\square$

Let $F_p$ be the maximal fixed set such that $F_p \subseteq V - S_0 = \mathrm{Im}(S)$. Then Lemma 14 proves that $V - S_\infty \subseteq F_p$, hence, $V - F_p \subseteq S_\infty$. Notice that $X \to_p x$ (defined by using $R_p$) implies that there exists a rule $(p, x, o, k_a) \in R$ such that $X = \{v : (o, v) \in k_a\}$ and $X \cap F_p = \emptyset$. Since $F_p$ is a fixed set, $x \in F_p$ contradicts $X \cap F_p = \emptyset$. Thus, for $X \to_p x$, both $x \notin F_p$ and $X \cap F_p = \emptyset$, that is, $x \in S_\infty$ and $X \subseteq S_\infty$.

Sets $S_n$ lead to the partial ordering

$[v \prec_p w] = [v \in S_a - S_{a-1} \text{ and } w \in S_b - S_{b-1} \text{ for some } 0 \leq a < b].$

Notice that $\{v : \exists_{x \in V}\, [x \prec_p v]\} \subseteq V - S_0 = \mathrm{Im}(S)$. Theorem 11 follows from Lemmas 15 and 16, which prove that $p$ is composing/decomposing.

Lemma 15. Let $(x_1, \ldots, x_m) \in S$ with $\{x_j : j \in W_i\} \to_p x_i$. Then $\{x_j : j \in W_i\} \to_p x_i$ is composing if and only if $i \in C$.

Proof. Suppose that $i \in C$. Since $\{x_j : j \in W_i\} \to_p x_i$, $x_i \in S_\infty$. By Lemma 13(i), $x_i \in S_{n+1} - S_n$ for some $n \geq 0$; by Lemma 13(ii), $\{x_j : j \in W_i\} \prec_p x_i$, which proves that $\{x_j : j \in W_i\} \to_p x_i$ is composing.

Suppose that $\{x_j : j \in W_i\} \to_p x_i$ is composing, that is, $\{x_j : j \in W_i\} \prec_p x_i$. If $i \in D$, then by (5) there exists an $h \in C$ with $h \in W_i$ and $i \in W_h$. Since $\{x_j : j \in W_i\} \to_p x_i$, $x_h \in S_\infty$ and by Lemma 13(i), $x_h \in S_{n+1} - S_n$ for some $n \geq 0$. By Lemma 13(ii), $x_i \in \{x_j : j \in W_h\} \subseteq S_n$, hence, $x_i \prec_p x_h$. This contradicts $\{x_j : j \in W_i\} \prec_p x_i$ and we conclude that $i \notin D$, that is, $i \in C$.

$\square$

Lemma 16. Let $(x_1, \ldots, x_m) \in S$ with $\{x_j : j \in W_i\} \to_p x_i$. Then $\{x_j : j \in W_i\} \to_p x_i$ is decomposing if and only if $i \in D$.

Proof. We prove that $\{x_j : j \in W_i\} \to_p x_i$ is decomposing for $i \in D$. Then the lemma follows from Lemma 15, since $i \notin D \iff i \in C$ leads to composing rules. By (5), there exists an $h \in C$ with $h \in W_i$ and $i \in W_h$. By Lemma 13(i), $x_h \in S_{n+1} - S_n$ for some $n \geq 0$. By Lemma 13(ii), $x_i \in S_n$, hence, $x_i \prec_p x_h$.

To prove the lemma we show that $x_h$ controls$_p$ $x_i$. Let $\{y_j : j \in W_t\} \to_p y_t = x_h$ be composing, hence, $t \in C$ by Lemma 15. Then (6) with $h \in C$ and $x_h = y_t$ states $\{x_j : j \in W_h\} = \{y_j : j \in W_t\}$. This proves $x_i \in \{y_j : j \in W_t\}$ and we conclude that $x_h$ controls$_p$ $x_i$.

$\square$

The composing/decomposing theorem is compatible with the knowledge flow theorem if $F_p$ satisfies the single source axiom. We need to show that it is hard to compute an element $v_0 \in F_p$. First, observe that locally collision free sets often satisfy the following condition that is slightly stronger than (6): for each $i \in C$ there exists an injective function $c_i$ such that $c_i((x_j)_{j \in W_i}) = x_i$ for $(x_1, \ldots, x_m) \in S$ and such that the image of $c_i$ has an empty intersection with the images of $c_j$, $j \neq i$; $\mathrm{Im}(S)$ is equal to the union of the images of $c_i$, $i \in C$.

Since $F_p \subseteq \mathrm{Im}(S)$, $v_0 = c_i(x_1, \ldots, x_m)$ for some $i \in C$. Since $F_p$ is a fixed set, $v_1 \in F_p$ for some $v_1 = x_j$. Thus, $v_0 = q_0(v_1)$ for some function $q_0$ derived from $c_i$. By continuing this argument we obtain a sequence of elements $v_0 = q_0(v_1), v_1 = q_1(v_2), \ldots$ In practice, the domain of the functions $c_i$, $i \in C$, has a finite size. Thus there exist $j < h$ with $v_j = v_h$, that is, $v_j$ is a fixed point of the equation $x = w(x)$ where $w(x) = q_j(q_{j+1}(\ldots q_{h-1}(x) \ldots))$ is some function composed of $c_i$, $i \in C$. So, the single source axiom is satisfied if it is hard to compute compositions $q_0(q_1(\ldots q_{j-1}(x) \ldots))$ with $x = w(x)$.
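The stratification of Definition 12, the fixed set of Lemma 14, the ordering $\prec_p$ and the composing/decomposing distinction of Lemmas 15 and 16, computed on a concrete instance as an added example that is not from the paper: $S$ is the tuple set $(k, m, \mathcal{E}_k(m))$ of a symmetric encryption primitive over a finite universe of terms, with 0-based tuple positions, $C = \{2\}$, $D = \{1\}$, $W_2 = \{0, 1\}$ (encryption) and $W_1 = \{0, 2\}$ (decryption). The universe, the atoms $s, k, a$, and the non-free value $v$ with $v = \mathcal{E}_s(v)$ (added as the tuple $(s, v, v)$) are constructed for this example.

```python
# Added example (not from the paper): the strata S_0, S_1, ... of
# Definition 12 computed on a small explicitly enumerated value set V, with
# S the tuple set of a symmetric-encryption primitive.  The universe, the
# index conventions and the non-free value v with v = E_s(v) are
# constructed for this example.

ATOMS = ('s', 'k', 'a')

def enc(k, m):
    return ('enc', k, m)

# Tuple positions: 0 = key, 1 = plaintext, 2 = ciphertext E_key(plaintext).
# Composition index set C, decomposition index set D, premise sets W_i.
C = (2,)
D = (1,)
W = {2: (0, 1),    # {k, m} -> E_k(m)
     1: (0, 2)}    # {k, E_k(m)} -> m

def universe(depth=2):
    """All terms over ATOMS with at most `depth` nested encryptions
    (keys are always atoms)."""
    V, layer = set(ATOMS), set(ATOMS)
    for _ in range(depth):
        layer = {enc(k, m) for k in ATOMS for m in layer}
        V |= layer
    return V

def tuples(V):
    """S: one tuple (k, m, E_k(m)) per ciphertext present in V."""
    return {(t[1], t[2], t) for t in V if isinstance(t, tuple)}

def strata(V, S):
    """[S_0, S_1, ...] of Definition 12, stopping when S_{n+1} = S_n."""
    image = {t[i] for t in S for i in C}
    levels = [V - image]                        # S_0 = V - Im(S)
    while True:
        prev = levels[-1]
        nxt = prev | {t[i] for t in S for i in C
                      if all(t[j] in prev for j in W[i])}
        if nxt == prev:
            return levels
        levels.append(nxt)

def stratum(x, levels):
    """a with x in S_a - S_{a-1}; None when x lies outside S_infinity."""
    for a, level in enumerate(levels):
        if x in level:
            return a
    return None

def precedes(v, w, levels):
    """The partial ordering v <_p w of the appendix."""
    a, b = stratum(v, levels), stratum(w, levels)
    return a is not None and b is not None and a < b

def is_composing(t, i, levels):
    """{x_j : j in W_i} -> x_i is composing iff every premise precedes x_i."""
    return all(precedes(t[j], t[i], levels) for j in W[i])

def is_fixed_set(F, S):
    """F is a fixed set: every rule that produces an element of F has at
    least one premise in F, so F can never be entered from outside."""
    return all(any(t[j] in F for j in W[i])
               for t in S for i in C + D if t[i] in F)

def free_case():
    V = universe()
    S = tuples(V)
    levels = strata(V, S)
    outside = V - levels[-1]                     # V - S_infinity
    comp_ok = all(is_composing(t, 2, levels) for t in S)
    decomp_ok = not any(is_composing(t, 1, levels) for t in S)
    return len(levels), len(outside), comp_ok, decomp_ok

def fixed_point_case():
    """Add a value v that equals its own encryption under s."""
    V = universe() | {'v'}
    S = tuples(V) | {('s', 'v', 'v')}            # E_s(v) = v
    levels = strata(V, S)
    outside = V - levels[-1]
    return sorted(outside), is_fixed_set(outside, S)

if __name__ == '__main__':
    print(free_case())
    print(fixed_point_case())
```

On the free universe every value lands in some $S_n$ (so $V - S_\infty$ is empty), every encryption rule is composing and no decryption rule is, as Lemmas 15 and 16 state. Adding the self-encrypting value $v$ keeps the composition rule injective but leaves $v$ outside $S_\infty$ for every $n$, because its only producing tuple needs $v$ itself as a premise; $\{v\}$ is then a nonempty fixed set, the kind of ungrounded knowledge source that the single source axiom is there to exclude.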